The Notice of Privacy Practices describes how AC Wellness may use or disclose patients’ protected health information, informs patients of their rights, and advises patients of AC Wellness’ responsibilities to them with respect to their protected health information. Please review this carefully.

JOINT NOTICE OF PRIVACY PRACTICES

Effective Date: March 19, 2018

As required by the privacy regulations created as a result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Organized Health Care Arrangement The healthcare providers listed in Exhibit A of this joint Notice of Privacy Practices are part of an organized healthcare arrangement (“OHCA”). An OHCA is: (i) a clinically integrated setting in which individuals typically receive healthcare from more than one healthcare provider or (ii) an organized system of healthcare in which more than one health care provider participates. The providers will share medical and billing information about you with one another as may be necessary to carry out treatment, payment, and healthcare operations activities. The providers are not Apple Inc. employees, and Apple Inc. exercises no control over the provider’s independent professional judgment. The providers are independent contractors who each exercise their own independent professional judgment in the provision of your healthcare.

Joint Notice This Joint Notice of Privacy Practices (the “Notice”) constitutes the Notice for the OHCA and all of the healthcare providers participating in the OHCA. Kaiser Permanente members will also receive the Kaiser Permanente Notice of Privacy Practices and be subject to that notice. The healthcare providers who participate in the OHCA, and to whom this Notice applies, include the providers (sometimes referred to in this Notice as “we” or “us”), listed in Exhibit A attached to this Notice and each provider’s staff, employees, volunteers, and business associates. The OHCA and the Notice apply to services provided at the wellness centers located in Santa Clara Valley, California in Sacramento, California and in Austin, Texas (the “Wellness Centers”) and do not extend to services provided outside of the Wellness Centers.

Individual Responsibility of Members of the OHCA

Each member of the OHCA takes its independent responsibility to protect your individually identifiable health information (also called protected health information, or PHI) seriously. Each member of the OHCA is individually responsible for its own activities, including compliance with this Notice and all other privacy related laws.

A. Our commitment to your privacy: We are dedicated to maintaining the privacy of your protected health information. In conducting the activities of the Wellness Centers, we will receive information and create records regarding you and the treatment and services we provide to you. We are required by law to maintain the confidentiality of health information that identifies you. We also are required by law to provide you with this notice of our legal duties and the privacy practices that we maintain concerning your PHI. By federal and state law, we must follow the terms of the Joint Notice of Privacy Practices that we have in effect at the time.

We realize that these laws are complicated, but we must provide you with the following important information:

How we may use and disclose your PHI;

Your privacy rights in your PHI; and

Our obligations concerning the use and disclosure of your PHI.

The terms of this notice apply to all records containing your PHI that are created, received or retained by members of the OHCA. We reserve the right to revise or amend this Notice. Any revision or amendment to the Notice will be effective for all of your records that we have created or maintained in the past, and for any of your records that we may create or maintain in the future. We will post a copy of our current Notice in the Wellness Centers in a visible location at all times, and you may request a copy of our most current Notice at any time. A revised Notice may be obtained either at the Wellness Centers or by providing a written request to the applicable Compliance Officer.

B. Your personal information: We keep records of the medical care we provide you, and we may receive similar records from others. We use this information so that we, or other health care providers, can render quality medical care, obtain payment for services and enable us to meet our professional and legal responsibilities to provide care at the Wellness Centers. We may store this information in a chart and in our computers. This information makes up your medical record. The medical record is our property; however, this Notice explains how we use information about you and when we are allowed to share that information with others.

C. Our privacy practices: We not only use traditional methods to deliver care but also cutting edge technology to help deliver quality care to our patients. It is our policy to maintain reasonable and feasible physical, electronic and process safeguards to restrict unauthorized access to and protect the availability and integrity of your health information. Our protective measures may include secured office facilities, locked file cabinets, managed computer network systems and password protected accounts. Access to health information is only granted on a “need-to-know” basis. Once the need is established the access is limited to the minimum necessary information to accomplish the intended purpose. Members of the OHCA are required to comply with the policies and procedures designed to protect the confidentiality of your health information.

D. If you have questions about this Notice, please contact the applicable Privacy/Compliance Officer listed below at:

To You. To you or someone who has the legal right to act for you (your personal representative) in order to administer your rights as described in this notice.

Department of Health and Human Services. To the Secretary of the Department of Health and Human Services, if necessary, to make sure your privacy is protected.

F. We may use and disclose your PHI in the following ways:

The following categories describe the different ways in which we may use and disclose your PHI.

Treatment. We may use your PHI to treat you. For example, we may ask you to have laboratory tests (such as blood or urine tests), and we may use the results to help us reach a diagnosis. We might use your PHI in order to write a prescription for you, or we might disclose your PHI to a pharmacy when we order a prescription for you. Many of the people providing you services including, but not limited to, our doctors and nurses – may use or disclose your PHI in order to treat you or to assist others in your treatment. Additionally, we may also receive and disclose your PHI to other health care providers for purposes related to your treatment.

Payment. We may use and disclose your PHI in order to bill and collect payment for the services and items you may receive from us. In addition, and by way of example of disclosures for payment purposes, we may disclose your PHI to other health care providers and entities to assist in their billing and collection efforts.

Health care operations. We may use and disclose your PHI to operate our business. As examples of the ways in which we may use and disclose your information for our operations, we may use your PHI to evaluate the quality of care you received from us and to engaged in quality improvement activities, or to conduct cost-management and business planning activities. To de-identify your PHI (i.e., removal all individually identifiable health information) and use such de-identified PHI as described below in the Section “Use and Disclosure of Your PHI in Certain Special Circumstances.”

Appointment reminders. We may use and disclose your PHI to contact you and remind you of an appointment.

Treatment options. We may use and disclose your PHI to inform you of potential treatment alternatives or other health-related benefits and services that may be of interest to you.

Health-related benefits and services. We may use and disclose your PHI to inform you of health-related benefits or services that may be of interest to you. However, to the extent that we undertake marketing of any type, we will obtain your prior authorization as described below.

Release of information to family/friends. We may release your PHI to a friend or family member that is involved in your care, or who assists in taking care of you. However, any such disclosure will be subject to legal requirements.

Disclosures required by law. We will use and disclose your PHI when we are required to do so by federal, state or local law.

G. Use and Disclosure of Your PHI in Certain Special Circumstances:

The following categories describe unique scenarios in which we may use or disclose your identifiable health information without your authorization:

1. Publichealth risks. We may disclose your PHI to public health authorities that are authorized by law to collect information for the purpose of:

Maintaining vital records, such as births and deaths;

Reporting child abuse or neglect;

Preventing or controlling disease, injury or disability;

Notifying a person regarding potential exposure to a communicable disease;

Notifying a person regarding a potential risk for spreading or contracting a disease or condition;

Reporting reactions to drugs or problems with products or devices;

Notifying individuals if a product or device they may be using has been recalled;

Notifying appropriate government agency(ies) and authority(ies) regarding the potential abuse or neglect of an adult patient (including domestic violence); however, we will only disclose this information if the patient agrees or we are required or authorized by law to disclose this information; or

2. Reporting Victims of Abuse, Neglect, or Domestic Violence. We may disclose your PHI to government authorities authorized by law to receive such information, including social service.

3. Health oversight activities. We may disclose your PHI to a health oversight agency for activities authorized by law. Oversight activities can include, for example, investigations, inspections, audits, surveys, licensure and disciplinary actions; civil, administrative and criminal procedures or actions; or other activities necessary for the government to monitor government programs, compliance with civil rights laws and the health care system in general.

4. Lawsuits and similar proceedings. We may use and disclose your PHI in response to a court or administrative order, if you are involved in a lawsuit or similar proceeding. We also may disclose your PHI in response to a discovery request, subpoena or other lawful process by another party involved in the dispute, but only if we have made an effort to inform you of the request or to obtain an order protecting the information the party has requested.

5. Law enforcement. We may release PHI if asked to do so by a law enforcement official:

Regarding a crime victim in certain situations, if we are unable to obtain the person’s agreement;

Concerning a death we believe has resulted from criminal conduct;

Regarding criminal conduct at our offices;

In response to a warrant, summons, court order, subpoena or similar legal process;

To identify/locate a suspect, material witness, fugitive or missing person; or

In an emergency, to report a crime (including the location or victim(s) of the crime, or the description, identity or location of the perpetrator).

6. Deceased patients. We may release PHI to a medical examiner or coroner to identify a deceased individual or to identify the cause of death. If necessary, we also may release information in order for funeral directors to perform their jobs.

7. Organand tissue donation. We may release your PHI to organizations that handle organ, eye or tissue procurement or transplantation, including organ donation banks, as necessary to facilitate organ or tissue donation and transplantation if you are an organ donor.

8. Research. We may use and disclose your PHI for research purposes in certain limited circumstances, including we may use your PHI for purposes preparatory to research such as to identify research studies that may be of relevance to you in order to seek your authorization to participate. We may also use or disclose your PHI for research purposes when an Internal Review Board or Privacy Board has determined that the waiver of your authorization satisfies all of the following conditions:

The use or disclosure involves no more than a minimal risk to your privacy based on the following: (i) an adequate plan to protect the identifiers from improper use and disclosure; (ii) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the research (unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law); and (iii) adequate written assurances that the PHI will not be re-used or disclosed to any other person or entity (except as required by law) for authorized oversight of the research study, or for other research for which the use or disclosure would otherwise be permitted;

The research could not practicably be conducted without the waiver; and

The research could not practicably be conducted without access to and use of the PHI.

9. Serious threats to health or safety. We may use and disclose your PHI when necessary to reduce or prevent a serious threat to your health and safety or the health and safety of another individual or the public. Under these circumstances, we will only make disclosures to a person or organization able to help prevent the threat.

10. Military. We may disclose your PHI if you are a member of U.S. or foreign military forces (including veterans) and if required by the appropriate authorities.

11. National security. We may disclose your PHI to federal officials for intelligence and national security activities authorized by law. We also may disclose your PHI to federal and national security activities authorized by law. We also may disclose your PHI to federal officials in order to protect the president, other officials or foreign heads of state, or to conduct investigations.

12. Inmates. We may disclose your PHI to correctional institutions or law enforcement officials if you are an inmate or under the custody of a law enforcement official. Disclosure for these purposes would be necessary: (a) for the institution to provide health care services to you, (b) for the safety and security of the institution, and/or (c) to protect your health and safety or the health and safety of other individuals.

13. Workers’ compensation. We may release your PHI for workers’ compensation and similar programs.

14. Business Associates. We may disclose your PHI to third party vendors known as “business associates” that perform functions on our behalf or provide us with services if the information is necessary for such functions or services. Our business associates are required, under contract with us and pursuant to federal law, to protect the privacy of your information.

15. Change of Ownership. In the event that one of the healthcare providers’ entities is sold or merged with another organization, your medical record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another healthcare provider.

16. De-Identified Data. We may use or share your PHI once it has been “de-identified.” PHI is considered de-identified when it has been processed in such a way that it can no longer personally identify you in accordance with applicable federal privacy requirements.

17. Limited Data Sets. We may also use a “limited data set” that does not contain any information that can directly identify you. This limited data set may only be used for the purposes of research, public health matters or health care operations. For example, a limited data set may include your city, county and zip code, but not your name or street address.

H. ReceivingPHI from providers, insurance entities and their business associates:

We want to make you aware that, just as we use and disclose certain PHI in your treatment, our operations and management and certain payment practices, we receive PHI from other healthcare entities and their business associates including but not limited to: medical files, charts,laboratory testing results, imaging results, and insurance claims data. PHI that is received and maintained by us from outside entities is subject to the protections of relevant law.

I. Your written permission:

Except as described in this Notice, or as otherwise permitted by law, we must obtain your written permission – called an authorization – prior to using or sharing health information that identifies you as an individual. If you provide an authorization and then change your mind, you may revoke your authorization in writing at any time. Once an authorization has been revoked, we will no longer use or share your health information as outlined in the authorization form; however you should be aware that we won’t be able to retract a use or disclosure that was previously made in good faith based on what was then a valid authorization from you.

Except as specified above, under California law we may not share your health information with your employer or benefit plan unless you provide us an authorization to do so.

J. Uses and Disclosures Requiring Authorization:

Psychotherapy Notes: We will obtain your authorization prior to using or disclosing psychotherapy notes, except for use by the originator of the psychotherapy notes for treatment, for our own training programs to assist in the improvement of the care we provide, for proper oversight of the originator of the psychotherapy notes and where necessary to defend ourselves in a legal action brought by the subject of the psychotherapy notes.

Marketing: We must obtain your authorization prior to using or disclosing PHI for marketing purposes, including subsidized treatment communications, except during a face-to-face communication or when providing a promotional gift of nominal value.

Sale of PHI: Disclosures or uses that may constitute the sale of PHI will only be made if we obtain the required authorization from you.

Other Uses and Disclosures: Prior to any use or disclosure of PHI, which is not described in this notice, we will obtain your authorization.

K. Other Restrictions:

In California and Texas there may be additional laws regarding the use and disclosure of health information related to HIV status, communicable diseases, reproductive health, genetic test results, substance abuse, mental health, and abuse records. Generally, we will be bound by whatever law is more stringent and provides more protection for your privacy.

L. Your rights regarding your PHI:

You have the following rights regarding the PHI that we maintain about you:

1. Confidentialcommunications. You have the right to request that we communicate with you about your health and related issues in a particular manner or at a certain location. For instance, you may ask that we contact you at home, rather than work. In order to request a type of confidential communication, you must make a written request to the applicable Compliance Officer and inform us of the requested method of contact, or the location where you wish to be contacted. We will accommodate reasonable requests. You do not need to give a reason for your request.

2. Requesting restrictions. You have the right to request a restriction in our use or disclosure of your PHI for treatment, payment or health care operations. Additionally, you have the right to request that we restrict our disclosure of your PHI to only certain individuals involved in your care or the payment for your care, such as family members and friends. We are not required to agree to your request; however, if we do agree, we are bound by our agreement except when otherwise required by law, in emergencies or when the information is necessary to treat you. In order to request a restriction in our use or disclosure of your PHI, you must make your request in writing to the applicable Compliance Officer.

Your request must describe in a clear and concise fashion:

The information you wish restricted;

Whether you are requesting to limit our use, disclosure or both; and/or

To whom you want the limits to apply. Notwithstanding the above, in any instance where you or another individual, who is not your health plan, pays out-of-pocket and in full for any service or item that we provide to you, you have the right to request restrictions on the PHI we may disclose to your health plan related to those items and services. We will accommodate all such requests, unless required by law to make a disclosure.

3. Inspection and copies. You have the right to inspect and obtain a copy of the PHI that may be used to make decisions about you, including patient medical records and billing records, but not including psychotherapy notes. If we maintain your health information electronically, you will have the right to request that we send a copy of your health information in an electronic format to you. You can also request that we provide a copy of your information to a third party that you identify. You must submit your request in writing to the applicable Compliance Officer in order to inspect and/or obtain a copy of your PHI. We may charge a fee for the costs of copying, mailing, labor and supplies associated with your request. We may deny your request to inspect and/or copy in certain limited circumstances; however, you may request a review of our denial. Another licensed health care professional chosen by us will conduct reviews.

4. Amendment. You may ask us to amend your health information that may be used to make decisions about you, if you believe it is incorrect or incomplete, and you may request an amendment for as long as the information is kept by or for us. To request an amendment, your request must be made in writing and submitted to applicable Compliance Officer.

You must provide us with your request in writing and a reason that supports your request for amendment. We will deny your request if you fail to submit your request (and the reason supporting your request) in writing. Also, we may deny your request if you ask us to amend information that is in our opinion: (a) accurate and complete; (b) not part of the PHI kept by or for the practice; (c) not part of the PHI which you would be permitted to inspect and copy; or (d) not created by us, unless the individual or entity that created the information is not available to amend the information.

5. Accounting of disclosures. All of our patients have the right to request an “accounting of disclosures.” An “accounting of disclosures” is a list of certain non-routine disclosures we have made of your PHI for purposes not related to treatment, payment, operations or limited other purposes that federal law does not require us to provide an accounting. Use of your PHI as part of the routine patient care by the providers is not required to be accounted – for example, the doctor sharing information with the nurse; or the billing department using your information to file your insurance claim. In order to obtain an accounting of disclosures, you must submit your request in writing to the applicable Compliance Officer.

All requests for an “accounting of disclosures” must state a time period, which may not be longer than six (6) years from the date of disclosure. The first list you request within a 12-month period is free of charge, but we may charge you for additional lists within the same 12-month period. We will notify you of the costs involved with additional requests, and you may withdraw your request before you incur any costs.

6. Rightto a paper copy of this notice. You are entitled to receive a paper copy of our Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. To obtain a paper copy of this Notice, contact the applicable Compliance Officer.

7. Right to file a complaint. If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, contact the applicable Compliance Officer. All complaints must be submitted in writing. You will not be penalized for filing a complaint.

8. Right to provide an authorization for other uses and disclosures. We will obtain your written authorization for uses and disclosures that are not identified by this Notice or permitted by applicable law. Any authorization you provide to us regarding the use and disclosure of your PHI may be revoked at any time in writing. After you revoke your authorization, we will no longer use or disclose your PHI for the reasons described in the authorization. Please note: we are required to retain records of your care.

9. Right to Receive Notification of a Breach: We are required to notify you of any instance in which there has been a breach of your unsecured PHI.

Again, if you have any questions regarding this Notice or our health information privacy policies, please contact the Privacy/Compliance Officer listed above. If you would like a hard copy of this Notice, please ask for one at the front desk or contact the Privacy/Compliance Officer listed above.